When it happen that someone is missing DL and you would like to verify, when this action happend and who did it. This script can helps a lot ! It can return up to 5000 records and 365 days old data 🙂
$Command = @(‚Remove-DistributionGroup‘)
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1) -Operations $operations -SessionCommand ReturnLargeSet -ResultSize 5000
$data = @()
foreach ($line in $results ) {
$content = New-Object -TypeName PSObject
$Converteddata = convertfrom-json $line.AuditData
$content| Add-Member -MemberType NoteProperty -Name CreationTime -Value $line.CreationDate
$content | Add-Member -MemberType NoteProperty -Name Operation -Value $Converteddata.Operation
$content | Add-Member -MemberType NoteProperty -Name GroupOjectID -Value $Converteddata.ObjectId
$content| Add-Member -MemberType NoteProperty -Name ResponsibleUser -Value $Converteddata.UserID
$data += $content
}
$Data | Select CreationTime, Operation, GroupOjectID,ResponsibleUser